Posts by Lee D

4793 publicly visible posts • joined 14 Feb 2013

PPI pushers now need consent to cold-call you

Lee D Silver badge

Re: How long have you kept them on the line?

The robocallers cost them nothing.

The call costs them pence.

About the only thing they're paying for is the person to listen to it, likely way below minimum wage in a foreign country somewhere.

And yet they wasted how much of your time, and what's your normal hourly rate?

Lee D Silver badge

International friends have any number of ways of contacting me. It can be as simple as "leave a message".

Withheld calls? Sorry, blocked. They literally don't even ring. If you don't want to tell me who you are, I have no interest in talking to you. If you can block them officially or with the message "This number doesn't answer withheld calls"... problem solved. Guess what... if it's important, they still have to contact me anyway. Which means not withholding their number, or contacting me some other way.

For a) that's easily solved. For b) it's literally *their* problem, not mine.

Do you think I live in a bubble and don't have those things? Most of the time such places don't even HAVE my number. The local council certainly don't. And if they're too dumb to set the CLI on their switchboard to the main council building number, etc., then I literally don't trust them with my data.

What do you think they do for the old deaf people, those who are out all day and don't have an answering machine, those who don't speak English, those who don't own a phone at all? Life goes on just the same.

Lee D Silver badge

You mean people answer phone calls from numbers they don't know?

And during mealtimes etc.?

There's a really simple solution staring you right in the face.

Y'know what? VoIP can also be free from pesky regulation – US judges

Lee D Silver badge

I agree, for most people VoIP is basically optional.

But we would need a ruling saying that if you're replacing or ONLY offering to supply a line to a household via VoIP... then it becomes their only method of communication not by choice and you're a utility provider.

Soon, though, the whole thing will be moot... one of "internet connectivity" and "phone access" has to be classed as a utility or you're going into a world of pain where everyone has to do everything like taxes, etc. online/by the phone and neither of them will have any kind of guarantee of availability, let alone actual service levels.

The days of needing a copper wire to dial emergency services are probably over, yes, but there's still a need for something else.

Vodafone hounds Czech customers for bills after they were brute-forced with Voda-issued PINs

Lee D Silver badge

And if you want to hold customers liable for their choice of PIN, they have to have chosen it.

As in, they have to have logged in with the temporary credentials, changed it to something of their own choosing, and THEN get compromised.

Which isn't what happened.

Official: Google Chrome 69 kills off the World Wide Web (in URLs)

Lee D Silver badge

Re: The layers keep piling up

Please describe how that's any different from the state-of-the-art, quantum-effect-reliant, billions-of-transistors electrical-number-cruncher in front of them when they are just "clicking on the box" anyway?

1) You can't expect people to understand how everything they use works, beyond a primitive knowledge (like my knowledge of the internal combustion engine... I can draw you all kinds of diagrams, I wouldn't have a clue how to go about making one actually work though)... and that's *at best*.

2) Most people, even if they could, don't care about how the machine works.

3) The DNS / IP system is nothing but a pretty layer over ugly technicality anyway. It literally exists so people can type in things like google.com and have stuff happen.

4) Nobody has really cared about the www. part for years, possibly decades... exactly the reason some sites don't serve the base domain only the www subdomain, or vice-versa. Don't even get me started on emails going to [email protected]

5) SSL CA's have always included one where you request the other. It's literally that common.

5) Unless you have a really good reason, I can't see why the base domain or the www. should do anything different to each other. When someone accesses port 80/443 of your IP, surely you want to send them to your website, no? I can understand not advertising, say, server1, server2 etc. subdomains, that are used internally to serve the content, but what are you expecting someone who just types in yourdomain.com or www.yourdomain.com to do differently?

6) The pool.ntp.org example is a classic "techy" solution - I know, because I run a bunch of servers for them. And typing in pool.ntp.org will send you to a random guy's web port of a random time server. I'm pretty sure that's not a very bright idea at all and they should have used an entirely different sub/domain. For example, pool.ntp.org and www.pool.ntp.org should go to the website. But time.pool.ntp.org gives you a time server. No different to how mail.domain.com (or equivalent) should be your mail server, or smtp. or time. etc. - not just using the raw domain for that (because then it's tricky to separate one service from the other when you want to migrate one to an entirely different IP and you end up hard-coding IPs into things like SPF records rather than use mail.domain.com and then give that an A record to point to a different IP)

You can't cover up decades of convention, tradition and bad design *now*, as an excuse for a browser doing what some browsers have been doing for years. Especially not when apart from real-oddballs like NTP pool (who really should have done it better) hardly anyone could ever be affected. Now, if the edit didn't give you the full URL when you went to copy/paste but the shortened version instead... yeah, then I'd have serious issues with it.

How to nab a HTTPS cert for a stranger's website: Step one, shatter those DNS queries...

Lee D Silver badge

So if you can fake packets to the nameservers coming from the IP in question, intercept the response and break it into pieces and modify the second piece, and then forward that on as if you were the original nameserver WITHOUT (or presumably BEFORE) the original nameserver packet returns... and you do this all while someone is trying to verify their domain (or else you're generating an awful lot of emails from CAs to the victim in question which will raise their suspicion), then you could get a fake cert with their name on?

Seems to me that there's a lot easier ways to cause damage in that situation, not least just proxying / intercepting / modifying / falsifying every little packet in question including - EMAILS coming into their mailservers, which you could use to activate a domain.

An attack, yes. One solved by DNSSEC already, no need for some fancy fix. One that hinges on what we've always known was the primary assumption - that DNS is authoritative (if these guys can proxy between you and the root and modify DNS with IP-spoofing, nobody who connects to your secure site is safe anyway). One fixed by fixing that assumption not making up ever-more-complex rules. Things like... the ACME protocols used by LetsEncrypt, for instance.

World Cup TV sales offset dip in computing demand says Dixons Carphone

Lee D Silver badge

I'm sorry, but if you're buying your PC from PC World, it's already game-over for you.

Literally, no hope.

Give up now.

Go back to an Etch-a-Sketch.

Especially if you're reading a tech site online and are "shocked" that PC World are somehow useless.

Benchmark smartphone drama: We wouldn't call it cheating, says Huawei, but look, everyone's at it

Lee D Silver badge

Re: Isn't this easy to fix?

"It seems easy, doesn't it? But you're going to have to use the same data set and so on every time and that will be difficult. Games? You're going to have to find a way to cycle exactly the same game sequence."

Gosh. If only lots of games allowed you to play saved replays since, say, the days of Doom/Quake.

The second the program you run is NOT the game the user will run, it can be detected (hell, my nVidia drivers do it automatically and "patch" shaders in games that it recognises... and you can tell it to force Intel Optimus for one program and nVidia for another. If nVidia can do it for game settings profiles, they can do it for benchmark programs to cheat. But try cheating when the game being run is the game being benchmarked and the only difference is that the reviewer loads in a replay of a game that he's created on one machine and loaded on all the others (so you can't even detect a "standard" benchmark replay file, etc.).

And what kind of insane person would benchmark email (but it's very easy to do)? You would benchmark, say, Chrome against a WebGL test suite. Good luck detecting that, especially if you use a different test suite for each review (not each device, but each comparison of devices).

Comparing review models is really easy. Hell, you don't even have to load a huge set of licensed benchmark suites on every machine to do so. Literally a Steam account with a bunch of games... just like... a user with a bunch of games on Steam.

With phones etc. it's even easier - have a profile of the App Store apps you're pushing down to them and push down the same apps on them all.

As soon as you get into "benchmarking software", it's a lazy review. It's "let's just load this and check the number". Not, as stated, the temperature, CPU usage, whether it's getting priority, real-world use, etc. etc. etc.

Lee D Silver badge

Re: Isn't this easy to fix?

Or just stop using fabricated benchmarks that aren't indicative of much, and run the programs that people are likely to run directly.

That way any "cheat" is then available to the users the same as the benchmarkers, any performance enhancement causing battery use or higher temperatures, or cheaper shaders, etc. will also impact on normal use of the product, etc.

Benchmarks are a silly idea because nobody wants to know the raw integer performance of a processor nowadays. It matters not and is hugely complicated by a myriad other factors (e.g. multi-processing, throttling, etc.).

"How well does it run...(insert top-end stress-testing commercial software here)". In the PC world, that's whatever new game gets lowest FPS on everyone else's card. On a mobile? No reason you couldn't do a benchmark via something like Chrome / WebGL rendering, popular gaming apps, etc.

It's like "fancy" interview questions. All you're doing is hiring people good at answering "fancy" questions.

Rely on fabricated benchmarks and all you're doing is buying phones good at winning fabricated benchmark tests.

But buy a phone that plays the equivalent of GTA V at 120fps on Ultra (or whatever), and you get... a phone that'll play that game like that. And it's hard to cheat that *AND* the next game in the series *AND* that other demanding game *AND* the game from 10 years ago without... making a phone that's generally good all round at that kind of activity.

Benchmarks never meant anything back in the Dhrystone/Whetstone days, they don't mean anything now.

Microsoft Germany emerging from behind Deutsche Telekom cloud

Lee D Silver badge

Re: Not just GDPR

And Microsoft Eire disagreed and it would take an EU court ordering them to do anything to make it legal.

Microsoft US might even *go to jail* for not complying with the US order. But it's an order that's impossible to fulfill for them. Literally, any employee of Microsoft Eire who allowed, facilitated, permitted, assisted or even provided an avenue for Microsoft US to get such data is breaking the law in the country they live in. Whether before, during or after that court case. And as they are separate legal entities, they would not be able to actually co-operate to do anything anyway. No more than Microsoft could ask Google to "just give us your data".

The US court could rule that Microsoft Eire is now a badger and the property of the US. Nothing would or could happen about that. The legal jurisdiction for such actions always did, still does, and probably always will end at the border of the US. If they want data from an EU company, they can write to the EU court. Or make ridiculous, unenforceable orders to their heart's content.

And if Microsoft US could obtain the data with a warrant, for damn sure the FBI could apply for the same warrant and get it themselves (which is an argument you could use in court... why am I being required to act as your policeman over a third-party that you could serve yourself?).

It always was a nonsense case. The Cloud Act doesn't change that in any way - in fact it recognises that position, gives such companies the right of appeal on that basis, and was the reason that the original case was shut down... because the Cloud Act existed to basically say "No, that's not how it works".

Lee D Silver badge

Re: Not just GDPR

It doesn't matter.

US courts can order people to break EU law to their heart's content.

It still means that ANYONE complicit with that action is chargeable under EU law. Hence nobody stupid enough in the EU with access to such data would ever risk prison just to please their boss.

Additionally, it's LITERALLY no different to saying "Microsoft US must produce Google South Africa's data". It's a nonsense, it's impossible, it can't be done, and nobody at Google South Africa, or Microsoft EU, could ever or would ever comply.

It's like drafting a US law saying "It's fine, you can fly over to France and mug Europeans". Maybe the law could make that fine for US people in the US. But the second you go and do that in another jurisdiction, the French are going to have something to say about that, and your US court isn't going to be able to help you with the consequences.

Lee D Silver badge

Re: Not just GDPR

Not quite

Microsoft EU and US are two different companies.

No formal request was ever filed in an EU court for access.

The US just "expected" Microsoft US to be able to instruct Microsoft EU (an entirely different company) to comply with their demands even though such demands are illegal in the EU (without a court order saying otherwise).

The US Supreme Court dropped their action because the Cloud Act came in which basically says "You will go through the proper EU channels if you want EU etc. data":

https://www.theverge.com/2018/4/5/17203630/us-v-microsoft-scotus-doj-ireland-ruling

That's something that could have ALWAYS happened.

Cloud Act: "Principally, it asserts that U.S. data and communication companies must provide stored data for U.S. citizens on any server they own and operate when requested by warrant, but provides mechanisms for the companies or the courts to reject or challenge these if they believe the request violates the privacy rights of the foreign country the data is stored in"

Microsoft (US) do not own or operate any servers in the EU. Microsoft (EU) do, and aren't subject to US jurisdiction unless an EU court rules as such.

P.S. The Cloud Act applies only in the US. No other jurisdiction has ever signed up to it, or could, it's just not relevant. Still, Microsoft EU could refuse to produce data stored under EU laws.

Nothing's changed. Business as usual. But now Microsoft (US) don't have a court case because their position is now clarified in (US) law.

Ironically, since day one, if the US had just issued a request to the European Court stating their need and purpose for that information (the FBI was involved, so presumably serious), they could have easily obtained access to that data 100% legitimately at any time.

Nobody has to hand data stored on an EU server to the US without an EU court order. And vice-versa.

TSB goes TITSUP: Total Inability To Surprise Users, Probably

Lee D Silver badge

Re: How long...

Personally, I'm quite happy with not being able to get a better deal than others.

It makes the process so much easier, because NOBODY has any choice, and it's not worth the faff.

That doesn't mean "we should all pay inflated prices", but "normal customers get the same deals as those who are just more diligent" isn't a bad thing.

As you hint: People don't move until there is sufficient gradient difference to overcome friction. My time costs money and saving £10 a year on electric isn't worth any amount of the most minor research and clicking buttons and tracking who I need to pay now. But when there is a differential, I invest time and effort to get a better deal.

Not having those deals means that the differential becomes zero. So we all get a decent deal. I don't spend time faffing. And electric "just costs that much". If it's too much, I'll find another utility. Same way that when phone+broadband+TV cost too much, I just bought a 4G Wifi box.

But it's a nonsense to suggest that screwing over little old grannies whose son set them up on the deal 10 years ago (and who might not be around any more!) when they don't know they could save hundreds is a good thing for any one involved. Price controls exist to protect the vulnerable like that.

Personally, I think the whole thing would be a damn sight easier if we all just paid one rate for electric from one supplier. Average it out over the country, make it so that companies make decent profit (or else they won't want to take part), everyone gets the same deal, sorted.

The time, effort and faffing saved if we did that for all such utilities would translate to everyone having more time/money.

As someone who cut £300 off my car insurance this year (literally an annual "GoCompare" so I did nothing fancy), doesn't have gas, a phone, landline broadband, a TV, etc. I assure you that I know how to save money. But for the most part it just isn't worth the time and effort, and when it is, it's for unfathomable and unrealistic reasons (e.g. my car insurance is still BISL... I just changed the company that administers on the front end with the EXACT SAME details... saved £300... there's no sense in that whatsoever... Halifax lost a customer for nearly £800, rather than lose £300, and their rival RAC picked up £500 for doing nothing but running a front-end on an existing insurer with the same details. The real irony is that the RAC included breakdown cover which I was paying for as an extra with Halifax... from the RAC...).

I wanted an electricity supplier change, but they would need to call someone out to do it because of the archaic meter. Turns out that just one day spent home waiting for them is about 3 times the cost of anything I'll save in the first year. And I might not be here in 3 years' time. And that's assuming the company I go to don't raise their prices in the future.

It's a false economy to suggest that having these companies "play off against each other" is doing anything to lower prices at all, even for the deal-seekers.

The government fixing the prices kills the commercial market overnight and customers pay what they would have paid anyway, without the faffing and advertising and paperwork and admin and duplication of effort that all those companies are doing to "win" customers, not to mention shareholder deals etc. It also means we can all just get on with our lives and not have to waste time changing suppliers and checking prices in the first place. Hell, it would kill all the price comparison sites overnight too. What's to compare?

I think it's just a placebo, "getting the best prices". If you fail to do it, sure you will lose out. But doing it doesn't mean you'll get something any better than what you'd get with just blanket regulation and fixed prices. Just the sheer removal of so many private-owned, shareholder-paying, corporate middle-men should remove enough to get you a better price than ever. The trick is to "nationalise" without letting government cronies get their 10% either. You can only do that with transparency and calling them out, and yet no-one cares that most ministers are profiting from exactly the industries they are supposed to be regulating because there's a bit of paper somewhere that says that.

Lee D Silver badge

Re: How long...

As someone who has blacklisted most of the high street banks due to (admittedly) generally isolated cock-ups, I can tell you there are still plenty of options. Especially for tech savvy.

I abandoned Barclays after the university branch (the only bank allowed to have one) refused to pay a Barclaycard (separate company I know) debt using a Barclays-issued grant cheque, in my name, provided to me from that same branch by the university itself, unless I also took out a Barclays current account. Despite, for three years, them doing the same every single month without question or ID.

I abandoned NatWest after they couldn't sort out, in the early era of online banking, an online banking that didn't require IE and ActiveX and never worked in Netscape even though they said it would.

I abandoned HSBC after a guy in the branch literally laughed in my face when we gave him the details while applying for a mortgage. So we went next door, to a mortgage lender, who approved us on the spot and was paid on-time every month for several years until we moved (and then it was paid off in full).

I've actually been put onto Monzo by someone on these forums. Sign up via an app (just a photo of your ID is needed). Get a full UK bank account under the same financial guarantees as any other, regulated by the same authorities. No monthly charges. Everything you would normally want (DD/standing order/transfers/etc. etc.). You get a Mastercard on the account sent to you. You can manage everything online. Even just drag-and-slide an overdraft or freeze your card yourself if you lose it.

Sure, there's probably a downside somewhere that I'll discover in time. And then maybe it'll be so insurmountable that I'll move my money again. But if you stay with the rubbish companies even through their failures (surely they must be asking "how many accounts have we lost over this?" at some point), then they'll fix their stuff next time, or you'll recognise how much you meant to them. While you do the "oh, but it's so complicated to move" when a free bank will give you an account in a matter of hours from just a photo of your ID, move everything under the current account switch guarantee so you never have to change anything, and then allow you to do that again if something happens, the other banks have NOTHING to care about in order to retain your custom.

Same for car insurance etc. My renewal this year was THREE TIMES what a rival company was charging. And that rival company was underwritten by the same firm. They literally care more about new customers than existing ones of many years. So show them what such loyalty gives back... all their customers flee for elsewhere as they have NO distinguishing features, except negative ones (i.e. nothing works or they cost more than everyone else).

Lee D Silver badge

Four words for you:

Current account switch guarantee.

Savings accounts - well, you shouldn't be dipping into them for every little thing anyway, but I'd also think about whether you want your savings in a bank that can't get IT working and is losing hundreds of millions of pounds in fees alone, let alone what it's cost them in terms of lost business.

Apple cops to iPhone 8 production oops, offers to fix borked phones

Lee D Silver badge

Re: Am I being over cynical?

When they're already charging something like 4 or 5 times the production cost for the phone, they can damn well afford to give out some free replacements to fix their own mistakes.

The question is: Why would you want to buy a device from a company that makes such mistakes, uses your money to fix them, and then still charges over-the-odds for the device, AppleCare, etc. and STILL makes the largest profit of just about any business in the world?

Everyone has to make a profit. Sure. But Apple literally make disgusting amounts of money from their customers, whom they could have twice as many of if they charged a sensible price.

Microsoft takes a pruning axe to Skype's forest of features

Lee D Silver badge

Seems to me that many companies totally fail at "design" instead opting for "designer".

Just about everything about the Metro interface and similar "redesigns" gets in my way, removes productivity or just plain annoys and frustrates.

I'd honestly rather programs stuck to their core purpose, provided the simplest way of doing that, and honestly ditched everything else in terms of UI.

What annoys more - we still don't have "theming". Not properly. Sure, I can change the wallpaper and the border colours, but where's the option saying "I want this to look like Windows 95 / KDE / etc." that blanket-applies to all programs? It's all third-party software, like Classic Shell, etc. and overriding what Windows allows. Same for Office. Gimme an "Office 2000 theme" that looks, works and has menus like Office 2000. They just run the same damn functions under the hood, sure, but at least they could let you lay out your preferred interface to do them.

I honestly don't care about your "designer" stuff. The second it isn't to my taste, I start ditching the program. And because you can't account for everyone's taste, don't. Provide options. Let people choose. Focus on the core product - how do I send audio/video over the net nice and fast. Everything else is none of your business and pointless trying to control how "my" desktop appears.

Plusnet customers peeped others' deets during system upgrade

Lee D Silver badge

Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

I am more concerned that account data is stored in a manner by which an off-by-one on the customer index just gives you all the access to that other data no matter who you are (i.e. poor permission control) and that there's no attempt to test that customer indexes match across tables (i.e. that you put in a "where this.index = that.index" kind of clause that would just return empty results if you mess up one of the indices).

I'm more concerned however that modern companies are still just keeping huge tables of customer data that even they don't need access to in that manner, where a slip of a coder's finger results in actual real results of other customers.

We're still just designing these systems incorrectly, shoving everything as rows into the same tables with no thought of restricting data.

Hint: If your customer index table contained nothing more than an index and a decryption key, and your customer address table contained only an unencrypted index and everything else encrypted, then index-mismatches like this would stop you hitting this class of bug. Not everything, but the simple things at least.

Or permission controls. Or some kind of audits and checks rather than just trusting the result out of the database. Some kind of script checking why suddenly 10,000 accounts are returning different data to ten seconds ago, after you just updated, etc. etc.

But, no, lob it all "in the database" and just blindly spaff results around with no checking.
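The two-table layout from the hint in the post above, as an added example (not the poster's code and not Plusnet's): one table holds only an index and a per-customer key, the other only the index and an encrypted record, so a mismatched index yields either an empty join or a failed decryption. Table names, column names and the sample customers are constructed for illustration, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample customers (not real data).
SAMPLE = {1001: b"1 Example Street, Sheffield", 1002: b"2 Sample Road, Leeds"}


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from the customer's key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example
    # needs no third-party package; use a vetted AEAD in a real system.
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(key: bytes, idx: int, nonce: bytes, ct: bytes) -> bytes:
    # The MAC covers the customer index, binding each record to its owner.
    msg = idx.to_bytes(8, "big") + nonce + ct
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()


def seal(key: bytes, idx: int, plaintext: bytes):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return nonce, ct, _tag(key, idx, nonce, ct)


def unseal(key: bytes, idx: int, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    # Verify before decrypting: a record sealed for another customer fails here.
    if not hmac.compare_digest(tag, _tag(key, idx, nonce, ct)):
        raise ValueError("record does not belong to this customer key")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # Key table: nothing but an index and a decryption key.
    db.execute("CREATE TABLE customer_key (idx INTEGER PRIMARY KEY, key BLOB NOT NULL)")
    # Address table: plaintext index, everything else encrypted.
    db.execute(
        "CREATE TABLE customer_address (idx INTEGER PRIMARY KEY, "
        "nonce BLOB NOT NULL, ct BLOB NOT NULL, tag BLOB NOT NULL)"
    )
    for idx, address in SAMPLE.items():
        key = os.urandom(32)
        db.execute("INSERT INTO customer_key VALUES (?, ?)", (idx, key))
        db.execute(
            "INSERT INTO customer_address VALUES (?, ?, ?, ?)",
            (idx, *seal(key, idx, address)),
        )
    return db


def lookup_joined(db, key_idx: int, addr_idx: int):
    # The "where this.index = that.index" check: mismatched indices match no row.
    row = db.execute(
        "SELECT k.key, a.nonce, a.ct, a.tag FROM customer_key k "
        "JOIN customer_address a ON a.idx = k.idx "
        "WHERE k.idx = ? AND a.idx = ?",
        (key_idx, addr_idx),
    ).fetchone()
    return None if row is None else unseal(row[0], key_idx, *row[1:])


def lookup_unjoined(db, key_idx: int, addr_idx: int) -> bytes:
    # Careless code path with no join check: the two rows are fetched
    # separately, so only the encryption stands between a bug and a leak.
    (key,) = db.execute(
        "SELECT key FROM customer_key WHERE idx = ?", (key_idx,)
    ).fetchone()
    nonce, ct, tag = db.execute(
        "SELECT nonce, ct, tag FROM customer_address WHERE idx = ?", (addr_idx,)
    ).fetchone()
    return unseal(key, key_idx, nonce, ct, tag)


if __name__ == "__main__":
    db = build_db()
    print(lookup_joined(db, 1001, 1001))   # the customer's own record
    print(lookup_joined(db, 1001, 1002))   # off-by-one: empty result
    try:
        lookup_unjoined(db, 1001, 1002)    # off-by-one without the join check
    except ValueError as exc:
        print("rejected:", exc)
```
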

Spies still super upset they can't get at your encrypted comms data

Lee D Silver badge

Re: Wack a Mole

Who cares?

Say my messenger program is legally required to copy all messages. It's now an untrusted communications medium.

What do we do with untrusted communications media? We run encryption over them to produce a tunnel for a trusted communications medium.

In messaging it's called "OTR" (off the record) plugins. And just as we used to use OTR over MSN, Yahoo, AOL IM, etc., so we can use OTR over WhatsApp, Facebook, messages printed in The Sunday Times, etc. In most cases, it could be as simple as just running another app on your phone or a "special" keyboard program that "encrypts" your messages as they are typed.

If your communication medium is untrusted because an unwanted third-party (legally or not) gets into it, you layer encryption over it to make a trusted tunnel. That's what you do. That can't be beat. That works over anything.

I could literally encrypt my dastardly plans for world domination, print them out and publish them in a national newspaper. If the encryption is anywhere NEAR useful, it will make no difference whatsoever and nobody will be able to read it.

Nobody's going to "trust" a foreign entity more just because it's foreign. What you do is not REQUIRE yourself to trust your ISP, government, messaging provider or anyone else, ever, except the intended recipient.

We have spent decades making protocols to make this true. And even "initial key exchange" can be done in full public view with nobody any the wiser what keys we ended up with. That's the whole POINT of encryption.

We've found another problem with IPv6: It's sparked a punch-up between top networks

Lee D Silver badge

Re: IPv4 Address Pool Has Been Expanded Significantly

Measuring traffic size against queries is very disproportionate traffic to compare.

20% of Google queries come in over IPv6. It's that simple.

But one MP4 on YouTube could easily equal millions or billions of such queries. That the content providers aren't pushing stuff over IPv6 for their video CDN doesn't mean it isn't being used.

The rest of the implementation is just reminiscent of the whole range of 6to/in/over/etc.4 technologies. It's basically proxying "extra" IPv4 to/from a reserved address, over IPv4 packets to an endpoint capable of expanding them as necessary. Though traditional routers may be able to route such traffic, it requires all kinds of intermediaries to actually do the work, who could do the same work for IPv6 instead and you'd never need know.

I can't see it. Maybe 20 years ago. Maybe if there weren't everything from 6rd to 6-in-4 to all the other tunnelling protocols then you might be able to do something. Fact is, you're not in any mainstream OS or router - they already are. With a 20 year headstart. And actually progressing out - they are all a ladder to the final salvation of native IPv6 for everyone, you're just circling round the bottom of the pit chopping rungs off the ladder.

I can't see it getting or going anywhere.

Lee D Silver badge

Re: IPv4 Address Pool Has Been Expanded Significantly

Sounds like a stop-gap measure to me, and adding an awful lot of complexity into what was a very simple system for routing.

But I'll show you the death-knell:

"Many implementations of the TCP/IP protocol stack have the 240.0.0.0/4 address block marked as experimental, and prevent the host from forwarding IP packets with addresses drawn from this address block"

It will take you longer to find and remove such blocks over the world's legacy systems, in order for their "ordinary" IPv4 network to work as intended than it would to just deploy IPv6.

Hell, adding in use of a SINGLE BIT for ECN basically forced router upgrades world-wide, gave you an option in Linux to turn them off (still there I believe!) which many people used, and which stopped traffic routing to some pretty major destinations. Even when it was supposed to be an unused bit up until then.

Sorry, but it's dead. IPv6 is a specified requirement of DOCSIS, 4G+ technologies, in every major current operating system, accounts for 20% of Google queries and works. Nobody's saying it's perfect, but a far-too-late, far-too-complex system to extend IPv4 use and complicate the routing tables even more just sounds like a terrible solution at this juncture.

Lee D Silver badge

Re: El Reg & IPv6

As usually the first person to launch on them when they do so...

This article is probably deserving of a reprieve as it's discussing actual problems with IPv6 (rather than praising it and ironically telling us we're all stupid if we haven't already done it) and not discussing home/commercial deployments, but the back-end infrastructure.

That said...

Defense Distributed starts selling gun CAD files amid court drama

Lee D Silver badge

Re: Cute, but not for long

Unfortunately, few guns are ever required to survive even the first shot in order to kill someone.

The problem is not that designs exist... you can make a gun out of a bit of tube if you care enough to.

The problem is that you'll never get an accurate weapon, and it'll turn into an even-more-indiscriminate killing tool.

Honestly, if you wanted to "make something yourself", you'd do more damage to the intended target by throwing a dart at them.

Huawei elbows aside Apple to claim number-two phone maker spot

Lee D Silver badge

Re: Lacking any kind of incentive to upgrade constantly

I never understood the "yearly cycle" in the first place.

Philips C12 "Savvy"

Some Nokia Thing

Samsung Galaxy Ace

Samsung Galaxy S4 Mini

Samsung Galaxy S5 Mini

That's every phone I've ever owned since... 1998.

I make that a "once every 4 year" cycle at best. Hell, laptop buying cycles are even less. I've probably owned... 4 in the same time (one every 5 years on average).

Like hell am I going to drop any significant portion of a grand on a whim for a gadget, however useful when my laptops don't cost that and last longer, and I certainly wouldn't do it every year.

In the era of market saturation, you have to be DIFFERENT by being BETTER than your competitors. Not carbon-copying their stupid ideas.

I would happily pay £250 for a device which had a removable battery, a headphone socket, and all the cheapest features you can shove in it, and just run plain Android. I can get an Android tablet that does everything I want for half that price, and I bought a toy phone the other day that's 5cm tall and is fully working, dual-SIM with Bluetooth. You're telling me you can't put one into the other with a slightly smaller screen and a battery compartment?

At this rate, I could easily be forced out of using a smartphone and just carry something like a GPD-Win around with me for such things.

Lee D Silver badge

When / if my phone dies I'll look at another.

And likely, from what I see, I'll end up with some unknown-Chinese brand thing that has everything I need and just runs Android.

If it appears on the LineageOS compatibility lists, even better.

Chances are that even Samsung (whose products I have historically ended up buying after a process of elimination without any conscious bias towards their brand) are no good to me any more. Too much focus on "tiny, tiny, look what we can fit on the head of a pin" rather than "hey, here's a phone that you can make good use of".

Yet, like with DVD players etc. many years ago, the cheap Chinese stuff does everything without losing all the functionality and STILL looks the same and is the same kind of size as the expensive gear from the famous brands. Oh, and lets you do things like play all regions and skip UOPS.

I can't fathom what they think they are up to at the moment. Make a "Showoff" range and a "Worker" range and a "Home" range and put the fecking connectors and batteries and stuff back into the latter.

If you're gonna make me pay ridiculous money, make it last for me. That means removable batteries etc. If you're going for cheap-and-cheerful I may suffer such restrictions.

ZX Spectrum reboot scandal: Directors quit, new sack effort started

Lee D Silver badge

Re: Is there a point where we get to feel sorry for them?

I compare both projects as being very similar.

Both of them were caused by the directors completely mismanaging the business, lying through their teeth and stealing backers' money while throwing it away on things they didn't need to.

In the OpenPandora case, EvilDragon stepped up and made his own business out of it but not before it had lost an AWFUL lot of people's money (i.e. you had to pay ED more to actually get one of the promised things even if you'd already paid OP). Very pyramid-schemey in the end but ED was a nice guy trying to make the best whereas everyone else involved was pretty much trying to splash money on themselves.

In the RCL case, the directors were all pretty much responsible and there was just too much politics to ever have a coherent business. Two directors bowed out, the rest have resigned, and yet only a tiny portion of the units could EVER have actually been finished and the lawyers are vying for monies that haven't been paid, IndieGoGo is (supposedly) chasing with debt collectors, backers are building a class-action-suit-type-thing on other sites, etc. etc. Though Janko may be "innocent" in those matters, they still were associated with the companies until post-release, and the release software is atrocious.

However you look at it, it's not a company that you want to do business with. I followed the OP scandal very closely as I very nearly bought one (I used to program for the GP2X, the OP's "predecessor" if you like, from Gamepark Holdings who just delivered stuff and didn't have this hassle) and though ED personally saved some backers... pretty much I wouldn't want to touch any product that was developed that way.

These people, in particular, are being huge con-artists - the project is severely delayed, there's been any number of "next week" promises that never materialised and the final product is a shoddy copy of what you could achieve with a GP2X from 10 years ago, with an off-the-shelf compiled binary of FUSE, and some silly "Hall of Fame" bit plugged into the software that - I think - was never properly paid for and all development on the firmware stopped because of that.

Even Lee Fogarty (another of the RCL contracted-out guys) says that the second firmware was shoddy and unfinished and released in the state he last saw it in, with thousands of bugs filed against it with the authors... who weren't paid so never fixed them.

It's a business scam that I wouldn't touch with a bargepole, and it has NOTHING to do with the product itself (but the product is extremely sketchy precisely because of that). It could be a ground-breaking device, there's no way I'd buy it from those people.

AI image recognition systems can be tricked by copying and pasting random objects

Lee D Silver badge

Re: Pretty obvious really

No, the problem is that unless you specifically tell it what to look for (i.e. an algorithm that can identify four legs meeting a seat at right-angles, etc.) then it's picking up arbitrary correlations that you have zero insight into or control over.

It could be recognising bananas by the fact they have 10 yellow pixels, that there's a curve, that they have a blue sticker on them, or any of a billion indescribable criteria that no human would ever attribute as the "essence" of a banana. And you have no (reasonable) way of telling what criteria that is, modifying it without literally shoving your hand in its brain and wiggling it about, or determining what criteria it'll modify that detection with when you next train it on an image.

For all you know, it's training itself on the (C) Getty Ltd copyright on the bottom-right-hand corner, not the photograph at all, but just got lucky enough that you think it's detecting bananas.

While such AI is nothing more than throwing a box of papers at a shredder and hoping it only shreds out the bit of information you want, you have no control over what's coming out of it and thus you get whatever nonsense you're given.

In a million years of training a "conventional" AI, you'll never get it trained on something like this. And you'll never understand it well enough to rely on it, and then you'll never get it trained on something new without a million years of "untraining" on what is a banana and what's a Cavendish.

Lee D Silver badge

AI is not "intelligent" in any way, shape or form.

What you're making here - no matter the hype - is a statistical model trained to a very limited set of inputs (there might be 7 billion people in the world, capable of being photographed from billions of angles, wearing billions of expressions, clothes, etc. and you're not training on 1%) over, maybe, a month or so.

Then you get surprised that it can't jam every object in the universe into tight categories based on that training as well as a human who's been doing that for 30+ years constantly with a much higher connection of brain and intelligence and vision than anything the biggest supercomputer can even approach.

Give it up. Seriously. And the more things you teach it to recognise (i.e. not just people and elephants) the worse the problem will get because it cannot infer context like a human. The same way that we can "see" an elephant in a cloud formation, but we know it's not really a giant elephant made of water vapour.

Even then, even with decades of training and human-matching capabilities... it's as good as a minimum wage employee. That's it.

We do not have AI and we're not likely to get it toying about with this stuff that's been around since the 80's and hasn't significantly improved (except in the SPEED with which it will mess up) in all that time.

Windows 0-day pops up out of nowhere Twitter

Lee D Silver badge

I have to say, for at least the last decade or so I have been led to assume that if you have the capability to execute code locally, then you have the capability to gain administrative privileges. It's really that simple.

The fix, therefore, is to only let the code you want to run to run locally and deny everything else.

I can't imagine there's a secure system in the world (e.g. military, etc.) that thinks it's a good idea to let a user run arbitrary code in any instance. Approved, verified-source, signed-off code only. Even then you can be compromised (e.g. escaping a web-browser sandbox, etc.).

If a local user can get system privileges on a machine in so MANY different ways, you just can't assume that they won't try, and therefore have to design your security and systems to compensate as much as possible.

The expectation for arbitrary code execution for anyone other than an administrator (already game over) or developer (who probably can mess up your system in a billion different ways, not least compiling exploit code into their programs) is something that I can't justify.

Keep yer plastic, says analyst: eSIMs aren't all they're cracked up to be

Lee D Silver badge

"Certainly, Mr D. You just need to pay Vodafone the £99.99 unlock fee before we can transfer your number."

They aren't allowed to do that now, and you just make it so that they wouldn't be allowed to do that in the future. Unless you owe them money, they are obliged to give you a PAC code for your phone number, which is just the same kind of process. All we're really talking about is going one level down to eSim number instead of PAC code (at worst, making eSims - which can handle dozens of virtual SIMs - add a new fresh virtual SIM, then getting GiffGaff to port your number to that eSim... same phone, same process, same end result).

Look at the wording: Giffgaff take over the eSim, not Vodafone give it up.

At worst, you're in exactly the same situation as now.

Lee D Silver badge

I think they miss the point entirely.

It's about saying "My eSim is XXXXXXXXXXXXXX. Please can I move to your service?" Whether you do that online, via the device itself, by entering a code on a signup instruction, or by "buying" a little card in a newsagent and following the instructions, it doesn't matter. In effect, it doesn't matter whether it's a bit of plastic, there's no need for any stupid menus (that's a rubbish argument if ever I heard one), etc. You just need a page on a provider's website with a place to enter your eSim number, some kind of text-message verification and, bang, you've changed suppliers to any one you want in the world.

Don't forget - buying a SIM is not the end of the process. You often have to "top up" nowadays before you even start, so there's usually a need to do something beyond just buying the SIM.

In effect, this actually bypasses the need for the SIM number itself, too. All you need know is "this is my phone number" and from there you can port the phone number and eSIM to any provider you like just by asking them.

eSim is a good idea. It's not ground-breaking. But it's a good idea. Why we're all determined to rid ourselves of tiny little slots that take up next to no room and have been shrinking forever, I can't fathom. But if people want that, sure, it's nice and easy.

"Hey, Vodafone, you suck! Hey, Giffgaff! My eSim code is XXXXXXXXX, sign me up!"

"Hey, I've just landed in an airport, taken a leaflet for Spain Telecom, I ring this number, type in my eSim number, it texts me, I confirm, bang I'm online".

Why anyone would state that needs any bits of plastic, interactive menus of contracts or MVNOs or anything else, I can't imagine.

Do I hear two million dollars? Apple-1 fossil goes on the block, cassettes included

Lee D Silver badge

To be honest, I don't get why a Picasso would be worth the money they supposedly are.

Certainly don't see an Apple I being worth anything like the price they're asking, let alone a good long-term investment.

And, let's be honest, many of those bits AREN'T original, as stated, and some aren't anything to actually DO with the Apple at all.

While it works, sure it's a bit of history. But eventually it'll stop working and then it's just electronic junk with a serial number.

But then, to be honest, I don't get why a BRAND NEW Apple product is worth what people are willing to pay for it.

Winner, Winner, prison dinner: Five years in the clink for NSA leaker

Lee D Silver badge

Re: Wait a minute

I think if anyone loses at reality, it has to be Reality Winner, who didn't realise that you go to jail for doing those things, right or wrong.

Lee D Silver badge

1) We need whistleblowers. That's without a doubt. I hate scummy behind-the-scenes illegal acts more than the next guy, I promise you.

2) Classified information may be a very different ballgame, especially as - in this case - it shows that the agencies WERE already aware of what was going on. It may well be that they act slowly and in secret so as to gain information, deploy agents, etc. etc. about that rather than just ignoring that information entirely (though, you should really watch/read The Looming Tower). So, although the act could in theory be one you could justify, I'd hesitate to say that they were so neglectful in their handling that it needed to become public knowledge.

3) She was a) stupid not to redact documents herself, b) stupid to trust a random outside entity, c) stupid to do all this FROM the place in question (hell, print it out, take a photo or similar, hold onto it for a few weeks, etc. and then the "date of printing" becomes almost moot in correlation terms). She may not have known about the yellow dots but for sure you'd want to distance yourself as much as possible from any printing / dates / times / correlations, no? Unless, of course, you're more interested in making a name for yourself than in the information you're disseminating being acted upon.

4) Like EVERYONE ELSE that claims to support whistleblowers, she was totally let down by the people she gave the material to. Assange is "on the run" (supposedly from the US), Manning went to jail, Snowden had to flee to Russia and co-operate with everything they wanted, and now she's in jail. All it tells me is that you don't want to be a whistleblower no matter how "anonymous" you think you can be, or how many lives you think you're saving - if anything Wikileaks et al have done MORE to prevent people whistleblowing than they have ever encouraged - and most of their stuff has ZERO impact whatsoever, while also posing a NON-ZERO danger to others. Literally the lesson is "don't whistleblow unless you want to spend your life on the run or in prison", given their various histories.

5) What was the end-result? The FBI was already aware, investigating and working their way through the courts. Same as in the other cases... sure, information comes to light. But the outcome is... well... mediocre at best. If anything it bolstered the case that the FBI SHOULD be investigating and still nobody really cares (I mean, I do, but nobody in the US it seems)... it hasn't turned people against the Russians, against Trump, etc. even with convictions now. That's disgusting and disappointing, yes, but it hasn't actually done anything. Like the Wikileaks stuff - sure, the information was brought to light but did anything change because of that? It's hard to determine that it did. Fact is, what you might care about most people don't and it gets brushed over, even if it's murder of civilians in a warzone, etc.

I have a really hard time fathoming why they continue to bother. Sure, if there are genocides, etc. then it needs to come out. But Guantanamo is still an illegal prison on foreign soil with a history of torture and escaping all due legal process, been promised to be torn down by at least two presidents over three terms, and yet it's STILL THERE and people are STILL being held without a proper trial. Who's up in arms about that? Just me, it appears!

Abracadabra! Tales of unexpected sysadmagic and dabbling in dark arts

Lee D Silver badge

People in work swear that there is a Sphere of Influence around me.

Everything starts working once I'm within 12 feet, no matter how many times they tried all the same things. Literally, as I appear, their long-running "never works", "tried that" problem evaporates before I even see their screen or what they are typing/clicking.

One of the best feelings, closing a ticket with "Could not reproduce, user confirmed."

It liiives! Sorta. Gentle azure glow of Windows XP clocked in Tesco's self-checkouts, no less

Lee D Silver badge

I wouldn't care if they ran OS/2 or DOS.

But could we please just make them so that they aren't so damned tied to that stupid weighing scale thing on the bagging area.

Honestly, just turn it off. If I wanted to steal something, I just wouldn't put it through the till in the first place, and my receipt would always clearly show what I SHOULD have in my possession and what I shouldn't. And likely you'd want to steal things like microSD cards or something expensive-but-light that wouldn't even register, or you'd scan something and then put something weighing the same on the scale anyway. Nobody ever checks, even if you call someone over.

Stick a camera directly in the machine to watch what I scan/place on there, and then turn off the stupid scale thing that whines at me until I manage to arrange the bags in the exact configuration that it needs to sense "previous weight + 0.5g of envelope" or whatever.

Honestly, it's a brilliant technology, totally hampered by a stupid implementation. And, yes, I have seen stores where they turn it off... Poundland sometimes has them. It works so much better without that nonsense.

Fix that and you could run the thing on hand-coded assembler for all I care.

Ex-UK comms minister's constituents plagued by wonky broadband over ... wireless radio link?

Lee D Silver badge

Re: Openreach treats everyone equally ........

First rule of complaining:

- The only people you have any business complaining to are the people you're paying money to, or the organisation responsible for legally regulating those people.

I *DO NOT CARE* that OpenReach have a problem. That's your issue, because you chose them as a supplier of goods/services. I'm paying *you* money to provide a stated service, who you choose to subcontract to do that is none of my business. If they don't perform to your standards, it's up to YOU to complain to them, not me. You hold THOUSANDS of customers with them, you hold a lot more weight than me anyway. I do not have a single business relationship with OpenReach, of course they won't talk to me (if you don't have an account number with them directly, you almost certainly don't have a relationship).

I'll happily work WITH your subcontractor to diagnose the issue, arrange repair, etc. but I'm not going to be organising that except via you and your direct referral of THEM to ME.

I had this once with a phone ordered from Three. No phone arrived. Waited the obvious 28 days to see if anything happened. Nothing, not even a slip through the door. They said I had to contact Royal Mail. Er... no... not my problem. I paid you to deliver a phone. You failed to do so. Game over. If you want to chase it up, you have the dispatch numbers and accounts, you can do it your end - because YOU paid money to Royal Mail, I didn't. I'm not going to do your job for you and likely can't. Maybe if you didn't send the phone by unregistered second-class parcel service, then you'd be able to track it? (Or, hey, realise that doing so comes with the risk that occasionally you might have to send out a replacement phone?) Your choice of service provider is your problem. All I care about is that I don't have a phone, that I paid *you* for. That one exploded into their threats of a lawsuit (never happened, never does) before I wrote them a snotty letter and recouped the DD cost from my bank forcibly (they phoned 10 seconds later to tell me off, but strangely never did anything about it!).

Talking of legal, it's the same thinking... if you had a MASSIVE dispute over the account/service, would YOU be taking Openreach to court? No. You'd be taking the people you paid money to to court. If they then choose to take Openreach to court for not fulfilling their contract, then that's up to them but it's of no interest to me.

Your grievance is with the people you paid for the service. Nobody else unless you're pulling in industry regulators. And Openreach aren't the regulator. Ofcom would be.

P.S. If your suppliers are that terrible that you're losing customers... time to find a different subcontractor to provide the expected levels of service to your customers!

Elders of internet hash out standards to grant encrypted message security for world+dog

Lee D Silver badge

How about you fix SMTP first, and not just by wrapping it in TLS but actually fix the method of message generation, encryption and authenticity such that we can use it properly, with end-to-end security and guarantees of origin?

Connected car data handover headache: There's no quick fix... and it's NOT just Land Rovers

Lee D Silver badge

Re: This needs some input from the DVLR

I imagine Ford et al have to access that information for any serious recall.

The facility therefore already exists for them to poll such data, and spot ownership changes. If DVLA provided a "trigger" for such events automatically (rather than continuous polling) they could easily provide such to the manufacturers. And there would be any number of good reasons to.

The DVLA are actually quite modern nowadays. Insurance, MOT, driving licence, etc. data are all available online via APIs (maybe only to closed companies like AskMID and hire companies but they are there!). And, as people point out, you can even cross your passport and driving licence photos and data for renewing them.

It wouldn't be a big stretch for DVLA to offer an API to the major motor manufacturers (who presumably don't send CSVs of all the new car registrations / serials etc. to the DVLA as they build them but have some kind of API!) to allow them to query all such ownership changes and archive their data making the car available to register again. They don't even need to "notify" anyone who hasn't asked to be notified (e.g. the new owner, no, the old owner who had an account, maybe so!). They just wait for someone to try to register their "new" car again.

To be honest, the tech to register these cars should at least be matching the level of tech in them in the first place, or there's something incredibly awry.

TLS developers should ditch 'pseudo constant time' crypto processing

Lee D Silver badge

Re: Lucky 13 is an *INSIDER* attack, not an attack against true properties of TLS

It doesn't matter.

Any modern algorithm that can't survive a chosen-plaintext attack is useless in the modern era. Literally, it's a core requirement.

There is no distinguishing a "rogue endpoint" from a valid one, if you're performing services over the Internet. You should not be able to do ANYTHING that recovers messages or a key in any form, no matter how much you try.

TLS can't explicitly defend against something in a sub-protocol, no. But it shouldn't be giving even the slightest hint about the context of its messages to anybody. Not even those authorised to see them. They have the key and can recover them, everything and everyone else should see something approaching random noise.

That OpenSSL (and presumably LibreSSL) and others have fixed this with a small tweak means it's important enough to worry about. It really doesn't matter what the context is - it's not a secure transport layer if you can determine ANY information about the content, certainly not if that information aids in breaking the encryption entirely.

London's Gatwick Airport flies back to the future as screens fail

Lee D Silver badge

How do you know if a flight coming in is going to be delayed?

You have to connect to something - the airline, the air traffic control (unlikely outside UK airspace), the other airports, etc. Without that you have no idea if a flight is delayed, thus no idea if the next one has to be bumped down, etc.

You have to have a live connection for this to be anywhere near vaguely useful. That they can't get a redundant connection to Gatwick is ridiculous. They should never fall over, there should be multiple fibres km's apart from each other connecting to different towns at minimum I imagine. Can't fathom what Vodafone is doing running that, to be honest. Unless they're complaining that a 4G backup didn't work (but then... if that's the case... surely that 4G connection just runs from a local leased line, etc.?)

That they need a connection isn't the problem. That they haven't got a suitably redundant connection is the problem. It looks immensely like the boards aren't even connected as well as, say, the cell tower in the terminal, or the free wifi.

Lee D Silver badge

Come on people.

LONDON SOUTHEND.

Since when?!

Lee D Silver badge

Flew from Gatwick last week.

Best bit - their app just pops up and tells you the gate number when you've selected your flight, no faffing.

In fact, went Gatwick-Spain-Stansted with only a passport and a smartphone (no tickets, boarding cards, etc.) and it all worked amazingly well.

The BA app is also quite good, especially as they can notify people at each end if you're delayed and it does a countdown to online check-in and your flight.

I absolutely detest flying, I'd like to point out, not because of a fear but because of the faff. However they managed to sort it out this time round and I barely queued at all at any of the airports.

But they still need to sort out departure lounges (i.e. a less humungous duty free to walk through and ignore everything, and more seating!), timings (if I need to be on-time, so does my plane), etc.

Shame that they've messed up, but it actually worked really well for me the other day and I didn't need to bother to check the physical boards at all.

Techie's test lab lands him in hot water with top tech news site

Lee D Silver badge

You mean in 2005?

Er... yes...?

"Geographic redundancy" = "buy one each from two different companies, rather than two from the same".

I'm not talking hot-swap, fast-failover, high-availability, but I'm also talking "website doesn't fall over just because someone pressed a switch".

Go hit Google for "site:theregister.co.uk" and change the date range to 2005-2006. They were just as big, just as sarky about downtime, doing articles about grid-computing, etc. etc.

We're talking the .xxx TLD era, not the dark ages.

Lee D Silver badge

So The Reg didn't have a redundant backup elsewhere? Just two servers in the same place?

One day you really need to write an article about the tech behind the site, because sometimes it just sounds quite worrying.

It's like having a bunch of sports journalists who comment on every match but have never had any involvement with the sports themselves.

How's that encryption coming, buddy? DNS requests routinely spied on, boffins claim

Lee D Silver badge

Re: whatismydnsresolver.com

"VPN to a trusted DNS resolver is my current approach for my systems."

It should be quite easy to set up a DNSSEC -> DNS resolving proxy. Usually such things are nothing more than a standard local caching DNS with DNSSEC verification enabled, such as DNSMasq or Unbound:

https://blog.josefsson.org/tag/dnssec/

(I think DNSMasq now works fine on its own, personally, that post is quite old but presents a second option for you).

Lee D Silver badge

Re: whatismydnsresolver.com

"However I use two local copies of BIND to resolve internet stuff."

So you mean that you inserted a DNS server in between your users and Google that the tool can't detect? And you wonder why people are worried about the issue?

Lee D Silver badge

Re: whatismydnsresolver.com

SSL/TLS is dependent on DNS being authoritative. Otherwise they can easily pretend to be any domain name and present valid certificates for it.

Now, HSTS and pinning are combatting that but nowhere near everyone has deployed them, and without support for them from the individual websites you visit you would never know. Basically, insecure DNS breaks secure websites. Now do you care?

It also allows code injection - redirect google.com to a page which attacks your browser and then proxies in the content from the *real* google.com. You would never know.

So it's not quite as small an issue as you think it is.

And there is something you can do about it. It's called DNSSEC. Or even VPN to a trusted DNS server. Your computers don't have to support DNSSEC in order to benefit from it - just a trusted resolver using it to verify responses from the root nameservers down, and then passing the information to your machine securely.

DNS, and SMTP, together are the biggest security holes you have in your computer today.
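Added example, not part of the post above and not code from any resolver project: one way to check that the resolver you point your machines at is actually validating, by sending a query with the EDNS0 DO bit and reading the AD flag or SERVFAIL in the reply. The sample replies are constructed for illustration, and `ask()` assumes you name a resolver you already reach over a trusted path (localhost or a VPN), since the AD flag itself is not signed.

```python
"""Check whether a DNS resolver reports DNSSEC-validated answers (AD bit)."""
import secrets
import socket
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits
SERVFAIL = 2   # RCODE a validating resolver returns when signatures do not verify
TYPE_A, CLASS_IN, TYPE_OPT = 1, 1, 41


def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid):
    """A query for an A record with RD and AD set, plus an OPT record with DO."""
    header = struct.pack("!HHHHHH", qid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    # OPT pseudo-record: root name, type 41, UDP size 1232, DO bit in the TTL field
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0x00008000, 0)
    return header + question + opt


def classify(response, qid):
    """Return 'validated', 'servfail' or 'unvalidated' for a resolver reply."""
    if len(response) < 12:
        raise ValueError("truncated DNS message")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & QR:
        raise ValueError("not a response to our query")
    if flags & 0x000F == SERVFAIL:
        return "servfail"      # possible validation failure; other causes exist
    if flags & AD:
        return "validated"     # resolver vouches that it checked the signatures
    return "unvalidated"       # unsigned zone, or the resolver does not validate


def ask(resolver_ip, name, timeout=3.0):
    """Query a live resolver over UDP (not used by the offline demo below)."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data, qid)


def constructed_response(qid, flags, answered=True, name="example.com"):
    """Build a sample reply (constructed data, address from 192.0.2.0/24)."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if answered else 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b""
    if answered:
        # Name is a compression pointer back to the question at offset 12
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
                  + bytes([192, 0, 2, 1]))
    return header + question + answer


if __name__ == "__main__":
    samples = {
        "validating resolver, signed zone": constructed_response(7, QR | RD | RA | AD),
        "non-validating resolver": constructed_response(7, QR | RD | RA),
        "validating resolver, bad signature":
            constructed_response(7, QR | RD | RA | SERVFAIL, answered=False),
    }
    for label, message in samples.items():
        print("%-36s %s" % (label, classify(message, 7)))
```
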

UK chip and PIN readers fall ill: Don't switch off that terminal!

Lee D Silver badge

Re: Cash on the barrel head

You only accept cash? Then I have several problems with that - I don't carry cash, therefore I won't use you, therefore I won't bother with you, therefore I probably won't even remember to use you again even if I'm walking past the shop with cash in my hand.

Also, it makes me worry about what you're doing tax-wise. Sure, a lot of places deal legitimately in 100% cash. But it worries me, and when was the last time you got a receipt with your fish and chips?

Past that, if you choose a single vendor (in an age where for £50 I myself can get a credit card reader that charges minimal percentages and deposit direct into my bank whether I use it once a year or a thousand times a day) and you can't be bothered to have a backup from another manufacturer, it makes me wonder how important taking money from your customers actually is.

Tougher in a big-brand store, sure, but you should have your own resiliencies and SLA's in such places. But if the chip shop won't take card because "the machine is down", then how long will it be down before you're losing money for the sake of a £50 backup under the counter? I'd say... what... 5-6 customers? That's a fast time to lose money for the sake of your customer's convenience.

And, no, I won't go to the ATM to draw out cash to take into a shop to pay for something. Besides the fact that it's a pain in the butt, it also leaves me with a pocket of change that I don't want. I've seen several people this week alone turn around and walk away because a shop won't take their card. I even saw a guy trying to buy nuts on an airplane and they took no cash, only card.

The tide turned already. Maybe 10, 20, 30 years ago. But nowadays? There is literally nothing that I can't pay for on card... and those places I can't always have a competitor just down the road who will take card (e.g. car parks, etc.).

It lets me track every penny of my money. It lets the taxman track every penny I give them (and I view tax evasion/avoidance as something that crushes smaller companies and competitors and steals my tax-funded resources without paying back). And it's much quicker, more hygienic, less waste (we have to PAY to mould those coins, you know, they aren't made of thin air), and ultimately you're gonna end up cashless in your old age whether you like it or not. You're not going to want to go to the ATM, carry round lots of money, try and squint at the numbers and count it out etc. versus a card that has a password on it and a guarantee of refund if you're ever defrauded.

Legal tender is not up for question here. It's not relevant. But handling *your* cash costs me whenever I use a firm that has to traipse to the bank, piss about with coin handling, security, coin modules on vending machines, etc. etc. etc. The costs must exceed that of handling a card, with a backup system.

If you don't take card, as far as I'm concerned it's similar to saying you don't take Luncheon Vouchers (as were), book tokens, gift vouchers, etc. We all laugh at those people with American Express, but you are literally refusing customers' money and inconveniencing them. Even the pound shops take cards. It honestly can't cost that much to have them.

As such, if they fail, and therefore you can't take money... it's probably not a company I want to be doing business with anyway. They couldn't even be bothered to buy an emergency £50 Zettle-or-whatever reader and stick it in the stockroom.